baoshuo/S2OJ
baoshuo/S2OJ
1
1
Fork 0
mirror of https://github.com/renbaoshuo/S2OJ.git synced 2024-11-22 19:28:41 +00:00
Code Issues Actions Packages Releases Activity

fix: search box position and security change

Browse Source 
This commit changes the search box up the paginator, and fixes a security problem.

ATTENTION! The version which has search box MUST update to the newest version IMMEDIATELY, the old version did not process the escape of the string, may cause SQL injection problems.
This commit is contained in:
MascoSkray 2017-06-28 13:32:44 +08:00
parent 4fd63e8070
commit b77834a182
No known key found for this signature in database
GPG Key ID: 6ABABD8325167A2E
1 changed files with 9 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
uoj/1/app/controllers/problem_set.php
View File

@ -56,7 +56,6 @@ EOD;
$cond = array(); $cond = array();
$search_tag = null; $search_tag = null;
$search_word = $_GET["search"];
$cur_tab = isset($_GET['tab']) ? $_GET['tab'] : 'all'; $cur_tab = isset($_GET['tab']) ? $_GET['tab'] : 'all';
if ($cur_tab == 'template') { if ($cur_tab == 'template') {
@ -68,8 +67,8 @@ EOD;
if ($search_tag) { if ($search_tag) {
$cond[] = "'".DB::escape($search_tag)."' in (select tag from problems_tags where problems_tags.problem_id = problems.id)"; $cond[] = "'".DB::escape($search_tag)."' in (select tag from problems_tags where problems_tags.problem_id = problems.id)";
} }
if($search_word) { if (isset($_GET["search"])) {
$cond[]="title like '%".$search_word."%' or id like '%".$search_word."%'"; $cond[]="title like '%".DB::escape($_GET["search"])."%' or id like '%".DB::escape($_GET["search"])."%'";
} }
if ($cond) { if ($cond) {
@ -136,7 +135,12 @@ EOD;
<?= HTML::tablist($tabs_info, $cur_tab, 'nav-pills') ?> <?= HTML::tablist($tabs_info, $cur_tab, 'nav-pills') ?>
</div> </div>
<div class="col-sm-4"> <div class="col-sm-4">
<?php echo $pag->pagination(); ?> <form id="form-search" class="input-group form-group" method="get">
<input type="text" class="form-control" name="search" placeholder="<?= UOJLocale::get('search')?>" />
<span class="input-group-btn">
<button type="submit" class="btn btn-search btn-primary" id="submit-search"><span class="glyphicon glyphicon-search"></span></button>
</span>
</form>
</div> </div>
<div class="col-sm-4 checkbox text-right"> <div class="col-sm-4 checkbox text-right">
<label class="checkbox-inline" for="input-show_tags_mode"> <label class="checkbox-inline" for="input-show_tags_mode">
@ -149,12 +153,7 @@ EOD;
</div> </div>
<div class="row"> <div class="row">
<div class="col-xs-10 col-xs-push-1 col-sm-6 col-sm-push-3 input-group"> <div class="col-xs-10 col-xs-push-1 col-sm-6 col-sm-push-3 input-group">
<form id="form-search" class="input-group form-group" method="get"> <?php echo $pag->pagination(); ?>
<input type="text" class="form-control" name="search" placeholder="<?= UOJLocale::get('search')?>" />
<span class="input-group-btn">
<button type="submit" class="btn btn-search btn-primary" id="submit-search"><span class="glyphicon glyphicon-search"></span></button>
</span>
</form>
</div> </div>
</div> </div>
<div class="top-buffer-sm"></div> <div class="top-buffer-sm"></div>